Securing Cisco IOS Routers
On most networks, routers are typically used as perimeter devices that connect internal networks to public networks, such as the Internet. For outside users, which include legitimate users and potential attackers, such deployments make routers the first point of entry into the network. It is therefore important to understand the methods available in Cisco IOS to protect routers and their related components. The IINS exam objectives covered in this chapter are as follows:
- Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, and login failure rate and by using IOS login enhancements
- Secure administrative access to Cisco routers by configuring multiple privilege levels
- Secure administrative access to Cisco routers by configuring role-based CLI
- Secure the Cisco IOS image and configuration file
- Secure Cisco routers using the SDM Security Audit feature
- Use the One-Step Lockdown feature in SDM to secure a Cisco router
Securing Administrative Access to IOS Routers
Because routers form an integral part of the network and security infrastructure, it is imperative that these devices are not overlooked in the overall security solution implementation. Cisco IOS devices provide several features that can be used to implement basic security for Command Line Interface (CLI) sessions.
The Cisco IOS CLI is divided into different command modes. Each command mode has its own set of commands available for the configuration, maintenance, and monitoring of router and network operations. The commands available to you at any given time depend on the mode you are in. Entering a question mark (?) at the system prompt, for a particular mode, allows you to obtain a list of commands available within that mode.
The standard order in which a user would access the modes would be user EXEC mode, privileged EXEC mode, global configuration mode, specific configuration modes, configuration submodes, and configuration sub-submodes. In order to gain access to router configuration mode, a user must first gain access to privileged EXEC mode by using the enable [privilege level] command in EXEC mode as illustrated in the following output:
R1>enable ?
  <0-15>  Enable level
  view    Set into the existing view
  <cr>
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level. Access to each privilege level is enabled through separate passwords, which you specify when configuring the privilege level.
In addition to configuring the privilege levels locally on the Cisco networking device, these command privileges can also be implemented using AAA with TACACS+ and RADIUS. For example, TACACS+ provides two ways to control the authorization of router commands on a per-user or per-group basis. The first way is to assign privilege levels to commands and have the router verify with the TACACS+ server whether the user is authorized at the specified privilege level. The second way is explicitly to specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed. AAA, TACACS+, and RADIUS are all described in detail in the next chapter.
If you do not specify a privilege level with the enable command, Cisco IOS assumes level 15, so the Level 15 secret must be supplied at that prompt; the secret configured for a lower level will be rejected. The local password for a given privilege level is set with the enable password level [level] [password] command or, preferably, with the enable secret level [level] [password] command.
NOTE: It is important to remember that while the enable password command is still a valid command, it should not be used when the enable secret command is available. The password it sets is stored in the configuration as cleartext by default; if the service password-encryption command is configured, it is stored as a type 7 string, which is a reversible obfuscation rather than a hash and can be decoded instantly with freely available tools. The enable secret command stores an MD5-based (type 5) hash instead, and if both are configured for the same level, the secret takes precedence and the enable password is ignored. The enable password command is retained in Cisco IOS software only for backward compatibility with older Cisco IOS software versions.
However, in recent Cisco IOS versions (Cisco IOS 12.3 and later), whenever the enable password level [level] [password] command is used, the router automatically converts it to the enable secret level [level] [password] command, hashes the password with the MD5-based type 5 algorithm, and stores only the hash in the configuration, without the need for any additional configuration, as illustrated in the following:
R1(config)#enable password level 1 cisco123
% Converting to a secret.  Please use "enable secret" in the future.
R1(config)#end
R1#show running-config | include enable
enable secret level 1 5 $1$g1uI$LOSsygicI1C02.8xCOnjO1
R1#
Referring back to the use of the enable secret command, the following example illustrates the steps required to configure an enable password for Level 15 access on a Cisco IOS device. The privilege level can then be validated by using the show privilege command:
R1(config)#enable secret level 15 security456
R1(config)#exit
R1#disable
R1>enable 15
Password:
R1#show privilege
Current privilege level is 15
R1#
The use of different enable secrets for different CLI privilege levels typically goes hand-in-hand with the restriction of command execution at certain privilege levels via the privilege [mode] [all] level [level] [command] command, where mode is the command mode in which the command lives (exec, configure, interface, and so on). Keep in mind that before Cisco IOS Releases 12.0(22)S and 12.2(13)T, each command in a privilege level had to be specified with a separate privilege command. In Cisco IOS Releases 12.0(22)S, 12.2(13)T, and later releases, a wildcard option, specified by the keyword all, was introduced; it allows administrators to configure access to multiple commands with a single privilege command.
By using the all keyword, you can specify a privilege level for all commands that begin with the string you enter. In other words, the all keyword grants access to all command-line options and sub-options of the specified command. For example, to create a privilege level that allows users to configure all dynamic routing protocols (that is, every form of the router command), the following configuration would be implemented on the router. Because router is a global configuration command rather than an EXEC command, the mode keyword is configure:
R1(config)#privilege configure all level 15 router
R1(config)#
The wildcard all in the output above removes the need to configure a separate privilege command for every routing protocol, for example privilege configure level 15 router ospf, privilege configure level 15 router eigrp, and privilege configure level 15 router rip, to set a privilege level of 15 for OSPF, EIGRP, and RIP configuration.
If the command specified in the privilege command used with the all keyword contains a configuration sub-mode, all commands in the sub-mode of that command will also be set to the specified privilege level. An example of sub-mode configuration would be the configuration of a sub-interface off a main router interface, such as an Ethernet or Frame Relay interface.
When privilege levels are used for commands, users must use the appropriate secret (and level) in order to be allowed to execute restricted commands. For example, in the following configuration, all show commands are assigned a privilege level of 7, while all debug commands are assigned a privilege level of 9. These two levels are assigned two different secrets: security7 and security9, respectively.
R1(config)#privilege exec all level 7 show
R1(config)#privilege exec all level 9 debug
R1(config)#enable secret level 7 security7
R1(config)#enable secret level 9 security9
R1(config)#exit
R1#
Based on this configuration, the Level 7 secret will enable the user to execute any show command, along with its options, but no debug commands. Logging in with the Level 9 secret automatically grants access to the Level 7 show commands (because a higher level inherits every command of the lower levels), as well as any debug commands and their options, as illustrated in the following output. Note that because show commands are Level 1 commands by default, this configuration also takes them away from Level 1 users.
R1>enable 7
Password:
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  10.1.1.1        YES NVRAM  down                  down
R1#debug ip packet
   ^
% Invalid input detected at '^' marker.

R1#disable
R1>enable 9
Password:
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  10.1.1.1        YES NVRAM  down                  down
R1#debug ip packet
IP packet debugging is on
R1#
Although the privilege command is typically used to restrict access to the Cisco IOS EXEC, it is important to know that it can also be used to restrict access to configuration commands as well. The same configuration logic is applicable to the restriction of configuration commands, as that which applies to EXEC commands. For example, to allow a user with a privilege level of 7 to access configuration mode, but restrict them to only routing protocol configuration, the following configuration would be implemented on the router:
R1(config)#enable secret level 7 mypassword
R1(config)#privilege exec level 7 configure terminal
R1(config)#privilege configure all level 7 router
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#exit
R1#
This configuration can then be tested by accessing the router and logging in using the Level 7 secret, as illustrated in the following output:
R1>enable 7
Password:
R1#show privilege
Current privilege level is 7
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#exit
R1(config)#ip route 10.0.0.0 255.255.255.0 fastethernet0/0
           ^
% Invalid input detected at '^' marker.

R1(config)#hostname r1
           ^
% Invalid input detected at '^' marker.
As illustrated in the output above, after entering the Level 7 secret the user is placed in privileged EXEC mode at privilege level 7, which allows the user to enter the configure terminal command that was explicitly assigned to level 7. The user is also able to enable OSPF routing on R1, using a process ID of 1, because all configuration commands that begin with router are permitted at privilege level 7.
However, as can also be seen, the user is unable to configure a static route, or even change the hostname of the router, because these commands still default to Level 15 access, which is the default privilege level for all configuration commands in Cisco IOS software, and are therefore unavailable to or invalid for a Level 7 user.
While the enable secret and privilege commands protect the transition to privileged EXEC mode and the individual commands, consideration must also be given to how a user reaches the CLI in the first place. Remote CLI sessions are created between a host (e.g. a PC) and a networking device (e.g. a router) over the network using a remote terminal access application, such as Telnet or Secure Shell (SSH), and arrive on the VTY lines; local sessions arrive on the Console (and AUX) lines. Both kinds of session start in user EXEC mode.
These lines can be secured with a line password, configured with the password line command together with the login line command. It is login that makes the router prompt for the password; without it the password is never checked. The VTY lines carry login by default, but the console does not, so on line con 0 it must be added explicitly. Unlike the enable secret, a line password does not grant privileged access: once it has been entered, the user is placed in user EXEC mode (privilege level 1, the default for a line) and must use the enable command with the correct secret to gain access to privileged EXEC mode. The configuration for the Console and VTY lines is similar and is performed as follows:
R1(config)#line con 0
R1(config-line)#password security
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password security
R1(config-line)#exit
R1(config)#exit
R1#
When terminal-line passwords are configured, they are treated in the same way as a privileged EXEC password set with the enable password command: they are not encrypted by default and are therefore visible in plain text in the running configuration of the router, as illustrated in the following output:
R1#show running-config | begin line
line con 0
 password security
line aux 0
line vty 0 4
 password security
 login
!
!
end
In order to change this default behaviour, the router must be configured with the service password-encryption global configuration command, as follows:
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#exit
R1#show running-config | begin line
line con 0
 password 7 111A1C06020002181D
line aux 0
line vty 0 4
 password 7 03175E08131D285857
 login
!
!
end
Even though the passwords are now obscured, it is important to remember that the scheme used (type 7, shown by the 7 in front of each string) is the same one applied to the enable password command: it is a reversible obfuscation based on a fixed key, not a hash, and anyone who can read the configuration can recover the original passwords in seconds. It protects only against casual shoulder-surfing, and it has no effect on enable secret or username secret values, which are already stored as hashes.
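To make the weakness concrete, here is an added example (mine, not code from the chapter or from Cisco) that reverses the two type 7 strings from the output above. Type 7 is not a hash: the first two digits of the string are an offset into a fixed 40-character key, and each following hex byte is one plaintext character XORed with the key character at that position. The TYPE7_KEY constant and the wrap-around at the end of the key follow the public description of the algorithm; the config snippet passed to decode_config is constructed from the snippets on this page, with a type 7 enable password added.

```python
import re

# Fixed key used by Cisco's type 7 "encryption" (publicly documented; 40 characters).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches "password 7 <hex>" / "key 7 <hex>" statements in a running-config.
TYPE7_RE = re.compile(r"^\s*(?:.*\s)?(?:password|key) 7 ([0-9A-Fa-f]{4,})\s*$", re.M)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string.

    Layout: two decimal digits (offset into TYPE7_KEY), then one hex byte per
    plaintext character, each byte being plaintext XOR key[offset + i].
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    # The key index wraps around at the end of the key (assumption shared by
    # the common decoders; IOS offsets are 0-15 and passwords are short).
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])) for i, b in enumerate(data)
    )


def type7_encode(plain: str, offset: int = 0) -> str:
    """Produce a type 7 string; shows the scheme is a reversible obfuscation, not a hash."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    body = bytes(
        ord(c) ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, c in enumerate(plain)
    )
    return "%02d%s" % (offset, body.hex().upper())


def decode_config(config: str) -> dict:
    """Map every type 7 string found in a config to its plaintext."""
    return {enc: type7_decode(enc) for enc in TYPE7_RE.findall(config)}


# Constructed sample: the two line passwords from the 'show running-config | begin line'
# output in this chapter plus a type 7 enable password (not from the chapter).
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
line con 0
 password 7 111A1C06020002181D
line vty 0 4
 password 7 03175E08131D285857
 login
"""

if __name__ == "__main__":
    for enc, plain in decode_config(SAMPLE_CONFIG).items():
        print("%s -> %s" % (enc, plain))
```

Running the block prints both line passwords as security, which is what the chapter configured before service password-encryption was enabled. The lesson for the configuration review is that a type 7 string in a backup, a ticket, or a pasted show running-config should be treated as a cleartext credential.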
In addition to simply setting passwords, the exec-timeout line command should be configured on every terminal line (Console, AUX, and VTY). This command sets how long the EXEC command interpreter waits for user input before it closes an idle session.
By default, this value is ten minutes, which means that a session left unattended on the Console, for example, stays open and usable by anyone with physical access for up to ten minutes before the user must log in again. This is an excessive amount of time; it is therefore recommended that the value be lowered, as illustrated in the following example where the idle timeout is reduced to one minute and thirty seconds for VTY 0. Note that exec-timeout 0 0 disables the timeout entirely and should never be left in a production configuration:
R1(config)#line vty 0
R1(config-line)#exec-timeout 1 30
R1(config-line)#exit
R1(config)#exit
R1#show line vty 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    66 VTY              -    -      -    -    -      0       0     0/0       -

Line 66, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: none
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:01:30        never                    none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin mop v120 ssh.
Allowed output transports are pad telnet rlogin mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
In the same manner that user workstations can and should be locked when left unattended, a session on a Cisco IOS terminal line can be locked with the lock EXEC command once the lockable command has been applied to the line. The lock command prompts for a temporary password (entered twice), and the same password must then be entered to unlock the session, which provides an additional layer of protection for a session that has to stay open, as follows:
R1(config)#line vty 0 4
R1(config-line)#lockable
R1(config-line)#exit
R1(config)#exit
R1#lock
Password:
Again:

Locked

Password:
R1#show line vty 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    66 VTY              -    -      -    -    -      0       0     0/0       -

Line 66, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: Lockable
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                never          never                    none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin mop v120 ssh.
Allowed output transports are pad telnet rlogin mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
In addition to setting different passwords for different privilege levels, Cisco IOS software also provides additional commands that can be used (and should be used) to further secure the router. These commands are the security passwords min-length <length> and the security authentication failure rate <threshold-rate> log commands.
The security passwords min-length <length> command is a global command that sets the minimum password length for user, enable, and terminal line passwords. This command specifies the minimum length of a configured password, which is six characters by default. As stated in Chapter 1, it is good practice to ensure that all passwords are no less than eight characters and contain letters, numbers, and symbols. Note that the check is applied only when a password is configured; passwords that already exist when the command is entered are not re-checked and must be changed manually.
This best practice rule can be put into practice on Cisco IOS routers via the use of this command. For example, if this command is used to specify that passwords must be no less than ten characters in length and the user attempts to create a password shorter than that, the following error message will be received:
R1(config)#security passwords min-length 10
R1(config)#enable secret ccnapass
% Password too short - must be at least 10 characters. Password configuration failed
R1(config)#
The security authentication failure rate <threshold-rate> log command configures the number of consecutive unsuccessful login attempts the router tolerates before it reacts, which is ten by default. This default should be lowered so that nobody gets ten free guesses at the router password; a threshold of two or three is generally good practice.
When the number of failures reaches the threshold, the router enforces a 15-second delay before it accepts the next login attempt and generates a log message indicating the failure. This quickly makes administrators aware of attempts to gain unauthorized access to the router without the correct credentials, which could well be a password attack.
When using the security authentication failure rate <threshold-rate> log command, it is important to remember that logging must be enabled on the router, either locally or to a remote Syslog server. Syslog is a standard for forwarding log messages across an IP network to a remote server running a Syslog daemon. These log messages are sent via UDP, using a destination port of 514. Syslog is explained in detail later in this guide.
For example, to have the router generate a log message, and send it to Syslog server 192.168.1.254, when two unsuccessful attempts to access the router are received, before the 15-second delay is applied, the following configuration would be implemented:
R1(config)#logging on
R1(config)#logging host 192.168.1.254
R1(config)#security authentication failure rate 2 log
R1(config)#exit
R1#
Usernames, User Passwords, and Privilege Levels
In Cisco IOS software, in addition to configuring passwords and setting different privilege levels for commands, administrators also have the capability to create local user accounts, assign those accounts specific privilege levels, which can be used in conjunction with the command restrictions configured using the privilege command, and create passwords for those users. Cisco IOS devices can then be configured so that local and remote sessions to the router are granted access based on configured username and password pairs.
Although the use of the username command is introduced and explained in the CCNA course, it is important to remember that before Cisco IOS Releases 12.0(18)S and 12.2(8)T, there were two types of passwords that were associated with usernames: Type 0, a clear text password visible to any user who has access to privileged mode on the router; and Type 7, a password encrypted by the service password-encryption command.
However, in Cisco IOS Releases 12.0(18)S, 12.2(8)T, and later releases, the secret keyword for the username command stores the user password as an MD5-based (type 5) hash. This is the same algorithm used by the enable secret command and provides far greater protection than the type 7 scheme used by the enable password and username password commands, which was the only option for user accounts in older IOS versions.
Configuring usernames, their passwords, and privileges in Cisco IOS software is a straightforward task that is performed using the username [name] privilege [level] secret [password] global configuration command. In order to allow terminal lines to authenticate users based on configured usernames, the login local configuration command is required under the terminal lines (i.e. under line con 0, for example).
The following example illustrates how three usernames are configured on a Cisco IOS router. The first user (BASIC) is assigned a privilege level of 1; the second user (INTERMEDIATE) is assigned a privilege level of 7; and the final user (EXPERT) is assigned a privilege level of 15:
R2(config)#username BASIC privilege 1 secret basic
R2(config)#username INTERMEDIATE privilege 7 secret intermediate
R2(config)#username EXPERT privilege 15 secret expert
R2(config)#exit
R2#show running-config | include username
username BASIC secret 5 $1$49Tu$Wi3WXbLGNOM1pl2MEgiig0
username INTERMEDIATE privilege 7 secret 5 $1$jjnj$tpZzs1l7RpxRwAmN1eLSR/
username EXPERT privilege 15 secret 5 $1$giSy$qLsRy0r4Kfpi427CeiiT61
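The type 5 strings above ($1$salt$hash) are MD5-crypt, the same construction the enable secret example earlier in this chapter produced for cisco123. The following added example (mine, not the chapter's or Cisco's code) reimplements MD5-crypt with the Python standard library, verifies the chapter's own hash $1$g1uI$LOSsygicI1C02.8xCOnjO1 against cisco123, and runs a small dictionary attack on it. The point it makes is the flip side of the type 7 weakness: a secret cannot be reversed, but anyone holding the configuration can still guess weak passwords offline, so enable secret and username secret protect only as well as the password chosen. The wordlist is constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# crypt(3) base-64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit 'count' characters, 6 bits at a time, least-significant bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as used for IOS type 5 secrets. The salt is at most 8 characters."""
    pw = password.encode()
    salt = salt[:8]
    s = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in 'alt' once per 16 password bytes
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for r in range(1000):              # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final                          # byte reordering fixed by the algorithm
    h = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    h += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    h += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    h += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    h += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    h += _to64(f[11], 2)
    return "$1$%s$%s" % (salt, h)


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored '$1$salt$hash' string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt (type 5) string")
    return hmac.compare_digest(md5_crypt(candidate, parts[2]), stored)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word in 'wordlist' that matches 'stored', or None."""
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


# Hash taken from the 'show running-config | include enable' output in this chapter.
CHAPTER_HASH = "$1$g1uI$LOSsygicI1C02.8xCOnjO1"

# Constructed wordlist for the example.
WORDLIST = ["cisco", "password", "admin", "cisco123", "security456"]

if __name__ == "__main__":
    print("cracked:", dictionary_attack(CHAPTER_HASH, WORDLIST))
```

Only 1000 MD5 rounds separate an attacker from each guess, which is why a type 5 secret of cisco123 falls to a wordlist in milliseconds; the defence is password quality and the min-length enforcement discussed above, not the hash itself.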
In addition to the configured usernames, administrators can also use the privilege command to restrict the commands the users can enter. For example, to leave the user BASIC (Level 1) with the ping and traceroute commands but take the show commands away from Level 1, and to make all show commands available to the user INTERMEDIATE (Level 7), the following configuration would be implemented on the router. Note that ping, traceroute, and show are all Level 1 commands by default, so the two level 1 statements merely pin ping and traceroute at their existing level; it is the privilege exec all level 7 show statement that actually removes show from BASIC, and the other default Level 1 commands (such as exit and enable) remain available to that user:
R2(config)#privilege exec all level 1 ping
R2(config)#privilege exec all level 1 traceroute
R2(config)#privilege exec all level 7 show
R2(config)#exit
R2#

User Access Verification

Username: BASIC
Password:
R2>show version
   ^
% Invalid input detected at '^' marker.

R2>ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2>exit

User Access Verification

Username: INTERMEDIATE
Password:
R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES NVRAM  up                    up
Serial0/0                  10.1.1.2        YES NVRAM  up                    up
R2#debug ip packet
   ^
% Invalid input detected at '^' marker.

R2#
In addition to setting privilege levels, the username [name] autocommand [command] command can also be used to further restrict users by immediately executing a specified command when a particular user logs in and then logging the user off automatically. When using the autocommand feature, it is important to remember that the user must have the appropriate privilege level to execute the command in the command string; otherwise, the feature simply will not work. For example, to configure a router to automatically execute the show ip interface brief command for a user (AUTO) and then automatically log the user off, the following configuration would be implemented on the router:
R2(config)#username AUTO secret autosecret
R2(config)#username AUTO autocommand show ip interface brief
R2(config)#exit
R2#
In the configuration illustrated above, it is important to remember that, by default, all show commands are available for Level 1 users. Therefore, the privilege command does not need to be used and the user’s privilege level can also remain the same. The autocommand feature can then be validated by logging in as AUTO. The router simply prints the specified output and automatically terminates the session, as illustrated in the following output:
R2>login

User Access Verification

Username: AUTO
Password:
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES NVRAM  up                    up
Serial0/0                  10.1.1.2        YES NVRAM  up                    up

R2 con0 is now available

Press RETURN to get started.
Cisco IOS Login Block
The Cisco IOS Login Block feature, which is a part of the Cisco IOS Login Enhancements feature set, allows administrators to enhance the security of a router by configuring options to automatically block further login attempts when a possible DoS or password attack is detected.
Enabling the Cisco IOS Login Block feature mitigates DoS attacks, such as TCP SYN floods or SSH Process Table attacks, that are used to prevent legitimate administrators from logging in to the device, or that flood the device so that it ceases to route or forward packets as expected. The feature can also be used to slow down dictionary attacks. It does so by enforcing a quiet period, during which the router does not accept any incoming connection requests, once multiple failed login attempts are detected within the configured window, which effectively protects the router from the attack.
The login block and login delay options introduced by this feature can be configured for Telnet, SSH, or HTTP connections. This feature provides enhanced security over the security authentication failure rate <threshold-rate> log functionality, which can only send a log message in the event of unsuccessful login attempts within a specified interval, but does not automatically ‘lock down’ the router to prevent any further login attempts.
It is important to keep in mind, however, that even though the router denies connection requests during the quiet period, it is possible to use an ACL (with the addresses that you know to be associated with system administrators) to allow connections only from those addresses. This ensures that administrators have the ability to manage devices during the quiet period.
In order to implement successfully the Cisco IOS Login Block feature, it is important to have a solid understanding of the new CLI options available to enable this feature correctly. The commands associated with this feature are as follows:
- The login block-for [seconds] attempts [tries] within [seconds] command
- The login quiet-mode access-class [ACL] command
- The login delay [seconds] command
- The login on-failure log every [number] command
- The login on-success log every [number] command
The login block-for [seconds] attempts [tries] within [seconds] command is the very first command that must be issued before any other login command can be used! This command is used to configure the router for login parameters and specifies the amount of time the router should remain in the quiet period if the administrator-specified number of failed attempts is exceeded within the specific period of time.
For example, to configure the router to enter quiet mode for five minutes if three unsuccessful login attempts are received within two minutes, the following configuration would be implemented:
R1(config)#login block-for 300 attempts 3 within 120
R1(config)#exit
R1#show login
     A default login delay of 1 seconds is applied.
     No Quiet-Mode access list has been configured.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 120 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 107 seconds.
         Login failures for current window: 0.
         Total login failures: 0.
The login quiet-mode access-class [ACL] command specifies an ACL (named or numbered) that is to be applied to the router when it switches to quiet mode to allow access to the subnets or addresses specified in the ACL. Even though this is an optional command, it is important to keep in mind that if this command is not enabled then all login requests, legitimate and otherwise, will be denied during quiet mode.
Therefore, it is good practice to ensure that an ACL is configured and this command is used so administrators still have access to the device during the quiet period. For example, to configure the router to allow administrators from the 172.16.1.0/24 subnet access to the router during the quiet period, the following configuration would be implemented:
R1(config)#login quiet-mode access-class 100
R1(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 any
R1(config)#exit
R1#show login
     A default login delay of 1 seconds is applied.
     Quiet-Mode access list 100 is applied.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 120 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 15 seconds.
         Login failures for current window: 0.
         Total login failures: 0.
The login delay [seconds] command is used to configure a delay between successive login attempts. This is an optional command because, by default, the router uses a default login delay of one second, as illustrated in the output of the show login command:
R1#show login
     A default login delay of 1 seconds is applied.
     Quiet-Mode access list 100 is applied.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 120 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 113 seconds.
         Login failures for current window: 0.
         Total login failures: 0.
This command can be used to change this value to any other value that the administrator so desires. For example, to change the delay interval between successive login attempts to five seconds, the following configuration would be implemented on the router:
R1(config)#login delay 5
R1(config)#end
R1#show login
     A login delay of 5 seconds is applied.
     Quiet-Mode access list 100 is applied.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 120 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 27 seconds.
         Login failures for current window: 0.
         Total login failures: 0.
The login on-failure log every [number] command is used to generate Syslog messages for failed login attempts. The [number] option generates a log message for the specified number of failed login attempts. When this optional command is configured, it is important to enable logging capabilities on the router, using either the local buffer or a remote Syslog server.
For example, to configure a router to generate a Syslog message for every two (2) failed login attempts, to both the local buffer and a remote Syslog server with the IP address 172.16.1.254, the router would be configured as follows:
R1(config)#login on-failure log every 2
R1(config)#logging on
R1(config)#logging buffered informational
R1(config)#logging trap informational
R1(config)#logging host 172.16.1.254
R1(config)#exit
R1#show login
     A login delay of 5 seconds is applied.
     Quiet-Mode access list 100 is applied.
     Every 2 failed login is logged.

     Router enabled to watch for login Attacks.
     If more than 3 login failures occur in 120 seconds or less,
     logins will be disabled for 300 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 91 seconds.
         Login failures for current window: 0.
         Total login failures: 0.
The login on-success log every [number] command performs the same functions as the login on-failure log every [number] command, with the exception that it provides logging for successful login attempts.
For example, to configure a router to generate a Syslog message for every successful login attempt, to both the local buffer and a remote Syslog server with the IP address 172.16.1.254, the router would be configured as follows:
R1(config)#login on-success log every 1
R1(config)#logging on
R1(config)#logging buffered informational
R1(config)#logging trap informational
R1(config)#logging host 172.16.1.254
R1#
R1#show login
A login delay of 5 seconds is applied.
Quiet-Mode access list 100 is applied.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 120 seconds or less,
logins will be disabled for 300 seconds.
Router presently in Normal-Mode.
Current Watch Window Time remaining: 72 seconds.
Login failures for current window: 0.
Total login failures: 0.
To validate the Login Block configuration and parameters, the show login command – which has already been illustrated above – is used. This command can also be used with the failures keyword, which displays information related only to failed login attempts, as follows:
R1#show login ?
  failures  Display Login failures in the current watch period
  |         Output modifiers
  <cr>
R1#show login failures
*** No logged failed login attempts with the device.***
It is important to remember that logging information should also be contained in the local router buffer (log). The show logging command can be used to view any information pertaining to the Cisco IOS Login Block feature (depending on feature configuration) as follows:
R1#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level informational, 8 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 37 message lines logged
        Logging to 172.16.1.254 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 10 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled
Log Buffer (4096 bytes):
*Mar 1 01:32:37.456: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:33:52.515: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:34:11.863: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:36:36.127: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:36:52.318: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 01:36:52 UTC Fri Mar 1 2002
*Mar 1 01:37:32.031: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 01:37:32 UTC Fri Mar 1 2002
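Because the router sends these %SEC_LOGIN messages to the remote Syslog server, the same watch window can be replayed on the collector, which is useful for alerting and for reviewing a log after the fact. The following is an added example, not taken from this guide, that applies the chapter's parameters (more than 3 failures within 120 seconds, then a 300-second quiet period) to collected log lines; the format of the LOGIN_FAILED message and all sample lines are constructed assumptions modelled on the LOGIN_SUCCESS line shown above.

```python
"""Replay the Cisco IOS Login Block watch window over collected Syslog lines.

Added example (not from the study guide). The LOGIN_FAILED message layout is
an assumption patterned on the LOGIN_SUCCESS line in the chapter's show
logging output; the SAMPLE_LOG lines are constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Parameters from the chapter's show login output: "If more than 3 login
# failures occur in 120 seconds or less, logins will be disabled for 300 seconds."
MAX_FAILURES = 3     # alert when the failure count in the window exceeds this
WATCH_WINDOW = 120   # seconds
QUIET_PERIOD = 300   # seconds the router refuses logins after an attack

# Matches both LOGIN_SUCCESS and LOGIN_FAILED and pulls out user, source
# address and the router-side timestamp ("at 01:36:52 UTC Fri Mar 1 2002").
LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]"
    r".*? at (?P<clock>\d\d:\d\d:\d\d) \S+ \w{3} (?P<mon>\w{3}) (?P<day>\d+) (?P<year>\d{4})"
)


def parse_line(line):
    """Return a dict for a %SEC_LOGIN line, or None for any other Syslog line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    when = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['clock']}", "%b %d %Y %H:%M:%S")
    return {"event": m["event"], "user": m["user"], "src": m["src"], "time": when}


def find_login_attacks(lines, max_failures=MAX_FAILURES,
                       window=WATCH_WINDOW, quiet=QUIET_PERIOD):
    """Sliding-window count of LOGIN_FAILED events, mirroring the router's watch window.

    Returns one alert per point at which the router would have entered
    Quiet-Mode, with the sources and usernames seen in that window.
    """
    recent = deque()   # failures inside the current watch window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "LOGIN_FAILED":
            continue
        now = ev["time"]
        recent.append(ev)
        # Drop failures older than the watch window.
        while recent and (now - recent[0]["time"]).total_seconds() > window:
            recent.popleft()
        if len(recent) > max_failures:
            alerts.append({
                "at": now,
                "failures": len(recent),
                "sources": sorted({e["src"] for e in recent}),
                "users": sorted({e["user"] for e in recent}),
                "quiet_until": now + timedelta(seconds=quiet),
            })
            recent.clear()   # the router starts a fresh window after quiet mode
    return alerts


# Constructed sample: one success, then four failures in 61 seconds from two
# hosts (an attack), then two isolated failures 5 minutes apart (not an attack).
SAMPLE_LOG = [
    "*Mar 1 01:36:52.318: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] "
    "[Source: 0.0.0.0] [localport: 0] at 01:36:52 UTC Fri Mar 1 2002",
    "*Mar 1 01:40:01.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 172.16.1.77] [localport: 22] [Reason: Login Authentication Failed] "
    "at 01:40:01 UTC Fri Mar 1 2002",
    "*Mar 1 01:40:15.440: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] "
    "[Source: 172.16.1.77] [localport: 22] [Reason: Login Authentication Failed] "
    "at 01:40:15 UTC Fri Mar 1 2002",
    "*Mar 1 01:40:33.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 172.16.1.77] [localport: 22] [Reason: Login Authentication Failed] "
    "at 01:40:33 UTC Fri Mar 1 2002",
    "*Mar 1 01:41:02.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 172.16.1.78] [localport: 22] [Reason: Login Authentication Failed] "
    "at 01:41:02 UTC Fri Mar 1 2002",
    "*Mar 1 02:10:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 172.16.1.5] [localport: 22] [Reason: Login Authentication Failed] "
    "at 02:10:00 UTC Fri Mar 1 2002",
    "*Mar 1 02:15:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 172.16.1.5] [localport: 22] [Reason: Login Authentication Failed] "
    "at 02:15:00 UTC Fri Mar 1 2002",
]

if __name__ == "__main__":
    for alert in find_login_attacks(SAMPLE_LOG):
        print(f"{alert['at']}: {alert['failures']} failures from {alert['sources']} "
              f"(users {alert['users']}); router quiet until {alert['quiet_until']}")
```

Note that the collector only sees what login on-failure log every [number] emits, so with a value of 2 (as configured above) half the failures never reach the server; use a value of 1 if the server-side count is meant to match the router's.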
Cisco IOS Role-based Command Line Interface
The Cisco IOS role-based CLI access feature allows an administrator to define views, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.
Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information. In other words, a view can define what commands are accepted and what configuration information is visible. The role-based CLI access feature provides greater administrative control of commands than the use of the username and the privilege commands to accomplish the same goal.
Therefore, if the router platform you are working on supports CLI views, this is the recommended method to ensure detailed access control capability for administrators, which improves the overall security and accountability of Cisco IOS software.
In order to configure the role-based CLI access feature, two prerequisites must be met. The first prerequisite is that AAA (Authentication, Authorization, and Accounting – which will be described in detail later in this guide) must be enabled in order to use the role-based CLI access feature. This is performed by using the aaa new-model global configuration command, as illustrated in the following output:
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#aaa new-model
R2(config)#exit
R2#
The second prerequisite is that the system must be in root view. Root view is a special view mode that has all of the access privileges as a user who has Level 15 privileges in Cisco IOS software. However, the difference between a user who has Level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. It is also important to remember that while users assigned a certain privilege level have access to all commands at and below that privilege level (e.g. a user with a privilege level of 10 has access to all commands assigned privilege levels 1–10), users in CLI views are restricted only to the commands available in that view.
In addition to this, when users are in a CLI view, they will only have access to the commands that have been added to that view by the root view user. Enabling the root view is accomplished by using the enable view EXEC command and entering the Level 15 secret command if prompted, as illustrated in the following output:
R2#disable
R2>
R2>enable view
Password:
R2#show privilege
Currently in View Context with view 'root'
Once these two prerequisites have been met, administrators can begin to configure views using the parser view [name] global configuration command. This command allows you to create the name of a parser view to be used. Once the name is created, the router then goes into view configuration mode, which allows the router to specify a password for the configured view, as well as the commands that are available within that view.
The password for a particular view is set by using the secret command within view configuration mode. It is important to remember that you must associate a password with a view. If you do not associate a password, and you attempt to add commands to the view, a system message such as the following will be displayed:
%Password not set for view BASIC
Commands are added to views via the commands [mode] (include | include-exclusive | exclude) [all] [interface (name) | command] command. In order to understand the correct use of this command, it is important to understand the options presented and what they mean. These options are described in the following table:
Table 2.1. IOS Command Options
Option | Description |
mode | This option is used to specify the router mode in which the command that will be specified exists. For example, the show command would exist in EXEC mode, while the router command would exist in CONFIGURE mode. |
include | This option adds a command or an interface to the view and allows the same command or interface to be added to another view. |
include-exclusive | This option adds a command or an interface to the view and excludes the same command or interface from being added to all other views. |
exclude | This option excludes a command or an interface from the view. In other words, users cannot access a command or an interface excluded by this option for the particular view they are in. |
all | This option is a wildcard that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view. In essence, this performs the same function as the all keyword in the privilege command that we learned about earlier. |
interface (name) | This option is used to specify the interface that is added to the view. |
command | This option is used to specify the command that is added to the view. |
To reinforce the configuration of views, we will go through the required steps using a practical example, as follows, where four (4) different views will be created: Level-1, Level-2, Level-3, and Level-4. The Level-1 view will be restricted to only ping and traceroute commands; the Level-2 view will be restricted to only show commands; the Level-3 view will be restricted to only static and dynamic routing configuration commands, as well as all interface configuration commands; and, finally, the Level-4 view will be restricted to only debug and undebug commands. In addition to this, the include-exclusive option is used in all four view configurations to ensure that the commands are restricted only to those views, as illustrated in the following output:
R2(config)#parser view Level-1
R2(config-view)#secret level1
R2(config-view)#commands exec include-exclusive all ping
R2(config-view)#commands exec include-exclusive all traceroute
R2(config-view)#exit
R2(config)#parser view Level-2
R2(config-view)#secret level2
R2(config-view)#commands exec include-exclusive all show
R2(config-view)#exit
R2(config)#parser view Level-3
R2(config-view)#secret level3
R2(config-view)#commands exec include-exclusive all configure
R2(config-view)#commands configure include-exclusive all router
R2(config-view)#commands configure include-exclusive all ip route
R2(config-view)#commands configure include-exclusive all interface
R2(config-view)#exit
R2(config)#parser view Level-4
R2(config-view)#secret level4
R2(config-view)#commands exec include-exclusive all debug
R2(config-view)#commands exec include-exclusive all undebug
R2(config-view)#exit
R2(config)#exit
R2#
The view configuration can be validated by the administrator via the use of the enable view [name] command and by entering the correct password for the specified view. Once successfully logged in to a particular view, the question mark can be used to view the commands available within that view, as illustrated in the following output for the Level-1 and Level-4 views:
R2>enable view Level-1
Password:
R2#?
Exec commands:
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination
R2#show ?
  parser  Show parser commands
R2#show parser view
Current view is 'Level-1'
R2#show ip interface brief
            ^
% Invalid input detected at '^' marker.
R2#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#exit
Press RETURN to get started.
R2>
R2>
R2>enable view Level-4
Password:
R2#?
Exec commands:
  debug    Debugging functions (see also 'undebug')
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  show     Show running system information
  undebug  Disable debugging functions (see also 'debug')
R2#show parser view
Current view is 'Level-4'
R2#
R2#show ip interface brief
            ^
% Invalid input detected at '^' marker.
R2#debug ip packet
IP packet debugging is on
R2#
R2#undebug all
All possible debugging has been turned off
In addition to creating standard views, it is also possible to create a superview. A superview consists of one or more already configured CLI views, which allow users to define what commands are accepted and what configuration information is visible. Superviews easily allow a network administrator to assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users. Superviews contain the following characteristics:
- A CLI view can be shared among multiple superviews. In other words, standard CLI views can belong to more than one superview.
- Commands cannot be configured for a superview. Therefore, administrators must add commands to a CLI view and add that CLI view to the superview.
- Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.
- Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
- Deleting a superview will not also delete all CLI views associated with that superview. In other words, deleting a superview does not delete the standard views that are associated with that superview. If CLI views need to be deleted, the administrator must manually delete them while logged in to the root view.
When configuring superviews, the secret command is used to configure the password for the superview, in the same manner as in standard views. However, unlike standard CLI views, there is no commands option in superviews. The only command available is the view command, which allows administrators to add standard CLI views to the superview.
Adding to the view configuration performed earlier, the following configuration creates three (3) superviews. The first superview (LEVEL-1-2) will include all commands available from the Level-1 and Level-2 standard CLI views, which were previously configured. The second superview (LEVEL-3-4) will include all commands available from the Level-3 and Level-4 standard CLI views, which were also previously configured. And, finally, the third superview (LEVEL-ALL) will contain commands available in all four standard views:
R2>enable view
Password:
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#parser view LEVEL-1-2 superview
R2(config-view)#?
View commands:
  default  Set a command to its defaults
  exit     Exit from view configuration mode
  no       Negate a command or set its defaults
  secret   Set a secret for the current view
  view     View to be added to SuperView
R2(config-view)#secret level12
R2(config-view)#view Level-1
R2(config-view)#view Level-2
R2(config-view)#exit
R2(config)#parser view LEVEL-3-4 superview
R2(config-view)#secret level34
R2(config-view)#view Level-3
R2(config-view)#view Level-4
R2(config-view)#exit
R2(config)#parser view LEVEL-ALL superview
R2(config-view)#secret levelall
R2(config-view)#view Level-1
R2(config-view)#view Level-2
R2(config-view)#view Level-3
R2(config-view)#view Level-4
R2(config-view)#exit
R2(config)#exit
R2#
R2#show parser view
Current view is 'root'
R2#
R2#show parser view all
Views/SuperViews Present in System:
 Level-1
 Level-2
 Level-3
 Level-4
 LEVEL-1-2 *
 LEVEL-3-4 *
 LEVEL-ALL *
-------(*) represent superview-------
As is the case with standard CLI views, the enable view [name] command followed by the password is used to log in to superviews. Again, a question mark can be used to validate the command options available to that particular view, as illustrated in the following output:
R2 con0 is now available
Press RETURN to get started.
R2>enable view LEVEL-1-2
Password:
R2#?
Exec commands:
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination
R2#
R2#exit
R2 con0 is now available
Press RETURN to get started.
R2>
R2>enable view LEVEL-3-4
Password:
R2#?
Exec commands:
  configure  Enter configuration mode
  debug      Debugging functions (see also 'undebug')
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
  undebug    Disable debugging functions (see also 'debug')
R2#
R2#exit
R2 con0 is now available
Press RETURN to get started.
R2>
R2>
R2>
R2>enable view LEVEL-ALL
Password:
R2#?
Exec commands:
  configure   Enter configuration mode
  debug       Debugging functions (see also 'undebug')
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination
  undebug     Disable debugging functions (see also 'debug')
Securing Cisco IOS Router Files and Images
The Cisco IOS resilient configuration feature, available in Cisco IOS 12.2SX and 12.4, enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage, which include NVRAM and flash memory.
This feature is intended to speed up the recovery process in the event that a router has been compromised and its operating software and configuration data have been erased from its persistent storage. This is possible because the Cisco IOS resilient configuration feature maintains a secure working copy of the router image and the startup configuration (NVRAM) at all times and the user cannot remove these secure files. This set of image and router running configuration is referred to as the primary bootset. The resilient configuration feature has the following characteristics:
- The copy of the running configuration that was in the router when the feature was first enabled is used as the configuration file in the primary bootset.
- The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
- The feature automatically detects Cisco IOS image or configuration version mismatch.
- Only local storage (i.e. on the router itself) is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
- The feature can be disabled only through a console session, which means that the administrator must have physical access to the router to perform this, enhancing security.
The Cisco IOS resilient configuration feature is very straightforward to implement. In order to save a primary bootset to a secure archive in persistent storage, only two configuration commands are required. The first configuration command, the secure boot-image command, is used to enable Cisco IOS image resilience. The second configuration command, the secure boot-config command, is used to store a secure copy of the primary bootset in persistent storage.
Although the IOS resilient configuration feature provides enhanced security for Cisco IOS routers, it is important to understand that it has several restrictions. The first major restriction is that this feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. In addition to this, even on these devices, there must be enough space on the storage device to accommodate at least one Cisco IOS image (two for upgrades) and a copy of the running configuration, and the software must also include IOS File System (IFS) support for secure file systems. This reduces the number of platforms on which this feature can be implemented.
Another restriction is that it may be possible to force removal of secured files using an older version of Cisco IOS software that does not contain file system support for hidden files. In other words, booting up the router using an older image that does not support the IOS resilient configuration feature effectively negates the security afforded by this feature.
In addition, as previously mentioned, you cannot secure a bootset with an image loaded from the network – i.e. from a TFTP or FTP server residing on the network. The running image must be loaded from persistent storage to be secured as primary.
Finally, it is important to remember that secured files will not appear on the output of a dir command issued from the EXEC shell because the IFS prevents secure files in a directory from being listed. Additionally, it is important to remember that the Cisco IOS image will not be visible in the output of the show flash command. Instead, use the show secure bootset command to verify archive existence. However, ROM monitor (ROMMON) mode does not have any such restriction and can be used to list and boot secured files.
In addition to the Cisco IOS resilient configuration feature, administrators can also leverage IOS image verification. This feature allows administrators to automatically verify the integrity of Cisco IOS images, thus ensuring that the image is protected from corruption (accidental or otherwise), which can occur at any time during transit, starting from the moment the files are generated by Cisco until they reach the user.
This negates the need for administrators to manually compare the IOS image MD5 hash printed on the Cisco download website with one generated on their own server in order to confirm that an image has not been corrupted (the two MD5 hashes match for an intact image).
To enable this feature, the file verify auto global configuration command must be configured on the router. Next, after issuing the file verify auto command, each image that is copied or reloaded (i.e. when the router reboots) will automatically be verified. This is illustrated in the following output on a router that has been configured to verify automatically the Cisco IOS image and is then reloaded (rebooted):
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#file verify auto
R2(config)#end
R2#
R2#copy system:running-config nvram:startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R2#
R2#reload
Verifying file integrity of flash:/c2600-advsecurityk9-mz.124-15.T9.bin..............................Done!
Embedded Hash   MD5 : 7F57E6DA1A57A0EC80AF4215F80967B8
Computed Hash   MD5 : 7F57E6DA1A57A0EC80AF4215F80967B8
CCO Hash        MD5 : ABCA61DDB615FB5722CEC3303B9A8DDC
Signature Verified
Proceed with reload? [confirm]
If the file verify auto configuration command has not been applied globally onto the router, it is still possible to verify the Cisco IOS image when copying it from its location or when the router is rebooted (reloaded). To verify the Cisco IOS image when copying it, the copy /verify command is used. It is important to keep in mind that the basic functionality and options of the copy /verify command still remain the same, as illustrated in the following output:
R2#copy /verify ?
  /erase          Erase destination file system.
  archive:        Copy from archive: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system
To verify an image when the router boots (assuming the file verify auto command has not been used), the reload /verify command is used. As is the case with the copy /verify command, the reload /verify command still performs the same basic function and still presents the same options, as illustrated in the following output:
R2#reload /verify ?
  LINE    Reason for reload
  at      Reload at a specific time/date
  cancel  Cancel pending reload
  in      Reload after a time interval
  <cr>
The final topic we are going to learn about in this section is the Secure Copy (SCP) feature that is available in Cisco IOS routers. SCP provides a secure and authenticated method for copying router configuration or image files. SCP relies on Secure Shell (SSH).
Before SCP can be used, the administrator must correctly configure SSH, Authentication, and Authorization on the router (both Authentication and Authorization are described in detail later in this guide). In addition to this, the router must have a Rivest, Shamir, and Adleman (RSA) key pair. These two requirements pertain to SSH configuration, which is a necessity due to the fact that SCP relies on SSH.
Because SSH and Authentication, Authorization, and Accounting (AAA) are described in detail later in this guide, the emphasis in this section is centered on the SCP feature. Therefore, do not worry if the SSH or AAA configuration presented here seems confusing at first glance, as it is provided simply for the sake of being thorough. You will learn about SSH and AAA theory and configuration in detail later in this guide.
The only SCP-related configuration command required in order to allow a router to support SCP server functionality is the ip scp server enable global configuration command. The other commands required for the SCP feature pertain to SSH and AAA configuration. In order to understand SCP, the following diagram will be used as an example, illustrating the configuration commands required to enable SCP server functionality on a Cisco IOS router:
Figure 2.1. Network Ready for SCP Configuration
Based on the network diagram illustrated above, R1 will be configured as an SCP server. In addition to this, R1 will also be configured as a TFTP server. The TFTP file that R1 will allow clients to download is named TEST, and this file will be stored on R1's flash memory. Users wishing to download this file via SCP must log in using the username SCPUSER with the password SCPPASSWORD. The configuration on R1 to perform this is implemented as follows:
NOTE: Do not focus on the SSH or AAA configuration. This is provided for the purposes of being thorough and is described later in this guide:
R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#aaa new-model
R1(config)#aaa authentication login default group local
R1(config)#aaa authorization exec default local
R1(config)#username SCPUSER privilege 15 secret SCPPASSWORD
R1(config)#ip scp server enable
R1(config)#tftp-server flash:TEST
R1(config)#exit
R1#
Next, R2 can then be configured to copy the file named TEST from R1 using SCP. This is performed by using the copy scp command, as illustrated in the following output:
R2#copy scp: flash:
Address or name of remote host []? 172.16.1.1
Source username [R2]? SCPUSER
Source filename []? TEST
Destination filename [TEST]? TEST
Erase flash: before copying? [confirm]n
Password:
!
Verifying checksum...  OK (0x6C6)
2766 bytes copied in 9.295 secs (298 bytes/sec)
R2#
R2#show flash:
System flash directory:
File  Length   Name/status
  1   19615064  c2600-advsecurityk9-mz.124-15.T9.bin
  2   1038      home.shtml
  3   2754      sdmconfig-26xx.cfg
  4   112640    home.tar
  5   1505280   common.tar
  6   6389760   sdm.tar
  7   931840    es.tar
  8   2766      TEST
[28567324 bytes used, 4462816 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)
Cisco IOS AutoSecure
The Cisco IOS AutoSecure feature eliminates the complexity of securing a router by creating a new CLI that automates the configuration of security features and disables certain features, which are typically enabled by default but could be exploited for security holes. AutoSecure provides the following mechanisms to enhance security access to the router:
- Simplified Router Security Configuration
- Enhanced Password Security
- Roll-back and System Logging Message Support
Simplified Router Security Configuration
AutoSecure is valuable to customers without special Security Operations Applications because it quickly allows them to secure their network without thorough knowledge of all the Cisco IOS features and commands.
This feature eliminates the complexity of securing a router by creating a new CLI that automates the configuration of security features and disables certain features, which are typically enabled by default but could be exploited for security holes.
Enhanced Password Security
AutoSecure provides two mechanisms to enhance password security on the router. The first mechanism is the ability to configure a required minimum password length, which can eliminate common passwords, such as ‘cisco’, for example.
The second mechanism is the ability to generate Syslog messages after the number of unsuccessful attempts exceeds the configured threshold.
Roll-back and System Logging Message Support
AutoSecure also provides support for the roll-back of the AutoSecure configuration. Roll-back enables a router to revert back to its pre-AutoSecure configuration state if the AutoSecure configuration fails or does not work as expected.
The two main focuses of the AutoSecure feature are to secure the Management plane and the Forwarding plane. The Management plane is the logical path of all traffic related to the management of a router. The Management plane performs management functions for a network and is used to manage a device through its connection to the network. Some examples of protocols that are processed in the Management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access.
The Forwarding plane refers to a router’s forwarding path involved in processing transit traffic or traffic that is destined to the router. The Forwarding plane constitutes the packet-forwarding, switching, and queuing components involved in the packet flow. Examples of features covered in Forwarding plane security are ACLs and Unicast Reverse Path Forwarding (uRPF).
Securing the Management Plane
Cisco IOS AutoSecure secures the Management plane by disabling certain global and interface services that can potentially be exploited for security attacks and, at the same time, enabling global services that help mitigate the threat of attacks. In addition to this, AutoSecure configures secure access and secure logging for the router. After enabling this feature, via the auto secure command, the following global services will be disabled on the router without prompting the user:
- Finger—which can be used to collect information about the system before an attack. If enabled, the information can leave your device vulnerable to attacks. This is disabled by issuing the no service finger command.
- PAD— which enables all packet assembler and disassembler (PAD) commands and connections between PAD devices and access servers. If enabled, it can leave your device vulnerable to attacks. This is disabled by issuing the no service pad command.
- Small Servers— these can allow for TCP and User Datagram Protocol (UDP) diagnostic port attacks, where a sender transmits a volume of fake requests for UDP diagnostic services on the router, consuming all CPU resources. These are disabled by issuing the no service tcp-small-servers and the no service udp-small-servers commands.
- BOOTP Server—BOOTP is an unsecure protocol that can be exploited for an attack. This feature is disabled by issuing the no ip bootp server command.
- HTTP Server—without Secure HTTP (HTTPS) or authentication embedded in the HTTP server with an associated ACL, the HTTP server is unsecure and can be exploited for an attack. The HTTP server is disabled by issuing the no ip http server command. However, if you must enable the HTTP server, you will be prompted for authentication or an ACL.
- Identification Service—this is an unsecure protocol, defined in RFC 1413, that allows one to query a TCP port for identification. An attacker can access private information about the user from the ID server. This is disabled by issuing the no ip identd command.
- CDP— while CDP is generally a useful and desirable service, it is important to know that if a large number of Cisco Discovery Protocol (CDP) packets are sent to the router, the available memory of the router can be consumed, causing the router to crash. CDP is disabled by issuing the no cdp run command.
- NTP—without authentication or access control, Network Time Protocol (NTP) is unsecure and can be used by an attacker to send NTP packets to overload or crash the router. NTP is disabled by issuing the no ntp command. However, if you want to enable NTP, you must configure NTP authentication using MD5, as well as an ACL, to filter NTP sources. If NTP is enabled globally, disable it on all interfaces on which it is not needed.
- Source Routing— this allows users to control (to some extent) the path a packet will take from source to destination. This may be used by attackers to bypass firewalls or other mechanisms and is therefore disabled by using the no ip source-route command.
In addition to the global services that are disabled by AutoSecure, the following interface services are also disabled by the AutoSecure feature:
- ICMP redirects— these allow for hosts to be redirected by other gateways with better paths to the intended destination but do not add a useful functionality to a correctly configured network. These are disabled on interfaces via the no ip redirects command, as this feature could be used by attackers to exploit security holes.
- ICMP unreachables—ICMP unreachables are a known cause for some ICMP-based DoS attacks and are sent when a service or port is unreachable. These are disabled on interfaces via the no ip unreachables command.
- ICMP mask reply messages— these messages can give an attacker the subnet mask for a particular subnet in the internetwork and are therefore disabled via the no ip mask-reply interface configuration command.
- Proxy-Arp— this allows a router to respond on behalf of another device. Proxy-Arp requests are a known cause for DoS attacks because the available bandwidth and resources of the router can be consumed in an attempt to respond to the repeated requests that are sent by an attacker. Proxy-ARP is disabled via the no ip proxy-arp command.
- Directed broadcast— this feature allows routers to forward directed broadcasts, which can potentially be used for DoS smurf attacks. This feature is disabled by issuing the no ip directed-broadcast command.
- Maintenance Operations Protocol (MOP) service—MOP is used for utility services such as uploading and downloading system software, remote testing, and problem diagnosis. Because of this, it can be used by an attacker for malicious activity. MOP is disabled by issuing the no mop enabled command.
Finally, AutoSecure enables several global services that further secure the router and enables logging. AutoSecure performs the following:
- Enables the service password-encryption command, which prevents passwords from being visible in the configuration.
- Enables the service tcp-keepalives-in and service tcp-keepalives-out commands, which ensure that abnormally terminated TCP sessions are removed.
- If a text banner does not exist, users will be prompted to add a banner.
- The login and secret commands are configured on the CON, AUX, VTY, and TTY lines. The transport input [telnet|ssh] and transport output [telnet|ssh] commands are configured on all of these lines. Also, the exec-timeout 10 command is configured on the CON and AUX.
- When the image on the device is a crypto image, AutoSecure enables SSH and SCP for access and file transfer to and from the router. The ip ssh timeout [seconds] and ip ssh authentication-retries [number] options for SSH are configured to a minimum number. Telnet and FTP are not affected by this operation and remain operational.
- If the AutoSecure user specifies that his or her device does not use Simple Network Management Protocol (SNMP) in interactive mode, the user is asked whether to disable SNMP, regardless of the values of the community strings, which act like passwords to regulate access to the agent on the router; however, in non-interact mode, SNMP will be disabled if the community string is ‘public’ or ‘private.’
- AutoSecure enables sequence numbers and time stamps for all debug and log messages via the service sequence-numbers and service timestamps [options] commands. This is useful when auditing logging messages.
Securing the Forwarding Plane
Compared with the Management plane, there are considerably fewer recommendations that can be implemented to secure the Forwarding plane. They are as follows:
- Cisco Express Forwarding
- TCP Intercept
- Unicast Reverse Path Forwarding
- Context-Based Access Control
Cisco Express Forwarding (CEF) is used to increase packet switching speed, reducing the overhead and delays introduced by other routing techniques, and to increase overall router performance. While going into detail on CEF is beyond the scope of the IINS course requirements, it is important to know that routers configured for CEF perform better under SYN attacks than routers using the traditional cache. CEF is enabled by issuing the ip cef command.
The TCP Intercept feature implements software to protect TCP servers from TCP SYN flooding attacks, which are a type of DoS attack. This feature helps prevent SYN flooding attacks by intercepting and validating TCP connection requests. As is the case with CEF, going into detail on the TCP Intercept feature is beyond the scope of the IINS course requirements. However, if the TCP Intercept feature is available, it can be configured on the router for connection timeout. TCP Intercept is enabled by using the ip tcp intercept [options] command.
Unicast Reverse Path Forwarding (uRPF) was described in Chapter 1. The uRPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. This feature is enabled by the ip verify unicast reverse-path [options] interface configuration command.
Context-Based Access Control (CBAC) is an integral part of the Cisco IOS Firewall. CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information. This feature, which is described in detail later in this guide, is enabled by using the ip inspect [options] command.
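To turn the global, interface and Forwarding plane items above into something a practitioner can run, here is an added example (not Cisco or SDM code) that audits a running-config for the settings AutoSecure applies and emits the commands that would close each gap, much as the SDM Security Audit generates fixes. The configuration text it parses is constructed for illustration, and the <ACL> in the NTP fix is a placeholder. The checks look only for the explicit "no ..." forms that AutoSecure writes, because the implicit defaults for these services differ between IOS releases; a service that is off by default but not explicitly disabled is still reported.

```python
"""Audit a Cisco IOS running-config for the AutoSecure items described above.
Added example, not Cisco or SDM code; SAMPLE_CONFIG is constructed.  The checks
look for the explicit 'no ...' forms AutoSecure writes, because the implicit
defaults differ between IOS releases."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    scope: str   # "global" or an interface name
    issue: str   # what is wrong
    fix: str     # IOS command that closes the gap


# Items AutoSecure turns off globally, turns on globally, and turns off per
# interface.  HTTP and NTP are special-cased in audit().
GLOBAL_DISABLE = ("service finger", "service pad", "service tcp-small-servers",
                  "service udp-small-servers", "ip bootp server", "ip identd",
                  "cdp run", "ip source-route")
GLOBAL_ENABLE = ("service password-encryption", "service tcp-keepalives-in",
                 "service tcp-keepalives-out", "service sequence-numbers", "ip cef")
INTERFACE_DISABLE = ("ip redirects", "ip unreachables", "ip mask-reply",
                     "ip proxy-arp", "ip directed-broadcast")


def _apply(cmds: Set[str], line: str) -> None:
    """Record a command; a later 'no X' supersedes an earlier 'X' and vice versa."""
    cmds.discard(line[3:] if line.startswith("no ") else "no " + line)
    cmds.add(line)


def parse_config(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Split a config into global and per-interface command sets; repeated stanzas merge."""
    global_cmds: Set[str] = set()
    interfaces: Dict[str, Set[str]] = {}
    current = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):   # '!' ends an interface stanza
            current = None
        elif line.startswith(" "):             # indented lines belong to the open stanza
            if current is not None:
                _apply(interfaces[current], line.strip())
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces.setdefault(current, set())
        else:
            current = None
            _apply(global_cmds, line)
    return global_cmds, interfaces


def audit(text: str) -> List[Finding]:
    g, interfaces = parse_config(text)
    out = [Finding("global", f"'{c}' not explicitly disabled", "no " + c)
           for c in GLOBAL_DISABLE if "no " + c not in g]
    out += [Finding("global", f"'{c}' not configured", c) for c in GLOBAL_ENABLE if c not in g]
    # HTTP server is tolerable only behind an ACL or an authentication method.
    http_ok = any(c.startswith(("ip http access-class", "ip http authentication")) for c in g)
    if "ip http server" in g and not http_ok:
        out.append(Finding("global", "HTTP server on without ACL/auth", "no ip http server"))
    elif "ip http server" not in g and "no ip http server" not in g:
        out.append(Finding("global", "HTTP server not explicitly disabled", "no ip http server"))
    if any(c.startswith("ntp ") for c in g):  # NTP in use: require MD5 auth and a source ACL
        if "ntp authenticate" not in g:
            out.append(Finding("global", "NTP without authentication", "ntp authenticate"))
        if not any(c.startswith("ntp access-group") for c in g):  # <ACL> is a placeholder
            out.append(Finding("global", "NTP without source ACL", "ntp access-group peer <ACL>"))
    for ifname, cmds in interfaces.items():
        out += [Finding(ifname, f"'{c}' not explicitly disabled", "no " + c)
                for c in INTERFACE_DISABLE if "no " + c not in cmds]
        if not any(c.startswith("ip verify unicast") for c in cmds):  # forwarding-plane check
            out.append(Finding(ifname, "uRPF not enabled", "ip verify unicast reverse-path"))
    return out


def remediation(findings: List[Finding]) -> List[str]:
    """Emit the fixes as a config snippet, interface fixes under their own stanza."""
    by_scope: Dict[str, List[str]] = {}
    for f in findings:
        by_scope.setdefault(f.scope, []).append(f.fix)
    lines = by_scope.pop("global", [])
    for ifname, fixes in by_scope.items():
        lines += ["interface " + ifname] + [" " + fix for fix in fixes]
    return lines


# Constructed sample: partly hardened, HTTP on without an ACL, NTP unauthenticated.
SAMPLE_CONFIG = """\
service password-encryption
no service pad
no service tcp-small-servers
no service udp-small-servers
ip cef
ip http server
ntp server 192.0.2.10
!
interface FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Serial0/0
 ip verify unicast reverse-path
!
"""
```

Running audit(SAMPLE_CONFIG) lists the gaps (here 19 of them) and remediation() turns them into the lines an administrator would paste into configuration mode; feeding the result back through audit() yields an empty list, which is the check worth scripting into a change review before the configuration is saved to NVRAM.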
Enabling and Using AutoSecure
Now that we have an understanding of the AutoSecure feature, the next logical step is how to use or implement this feature. AutoSecure is enabled by using the auto secure [options] privileged EXEC command. The options available with this command are as follows:
R2#auto secure ?
  firewall     AutoSecure Firewall
  forwarding   Secure Forwarding Plane
  full         Interactive full session of AutoSecure
  login        AutoSecure Login
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  ntp          AutoSecure NTP
  ssh          AutoSecure SSH
  <cr>
Because this command provides numerous options, it is important to discuss the options that pertain to the IINS course requirements. These options are firewall, forwarding, management, and no-interact.
The firewall option is used to enable CBAC, which is a feature of the overall Cisco IOS Firewall solution. The forwarding option secures only the router Forwarding plane. The management option is used to secure only the Management plane. And, finally, if the no-interact option is selected, the AutoSecure feature does not prompt the user for any interactive configurations. However, if no options are specified, the user will be prompted for all interactive options, which is the equivalent of the auto secure full command.
The following illustration demonstrates how to enable the AutoSecure feature to secure an Internet-facing router by using the auto secure firewall command:
Figure 2.2. Enabling AutoSecure
The steps to perform this configuration are illustrated in the following output:
R2#auto secure firewall
— AutoSecure Configuration —
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for AutoSecure documentation. At any prompt you may enter ‘?' for help. Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface        IP-Address   OK? Method Status Protocol
FastEthernet0/0  172.16.1.2   YES NVRAM  up     up
Serial0/0        150.1.1.2    YES manual up     up
Enter the interface name that is facing the internet: Serial0/0
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Serial0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
R2#
Once the configuration has been applied to the running-config, do not forget to save it to NVRAM (startup-config); otherwise, all changes and implementations will be lost if the router is rebooted or reloaded. The current configuration can be saved to NVRAM using either the copy running-config startup-config command or the copy system:running-config nvram:startup-config command.
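To see what the generated policy actually does to traffic, here is an added example (not Cisco code) that models the autosec_firewall_acl ACL applied inbound on Serial0/0 together with the autosec_inspect rule applied outbound, using the idle timeouts from the configuration above. The hosts, ports and timestamps are constructed. It models the session table and the return-traffic openings CBAC creates, not application-layer handling such as the FTP data channel.

```python
"""Model the inbound/outbound behaviour of the 'auto secure firewall' policy:
autosec_firewall_acl inbound on Serial0/0 plus autosec_inspect outbound.
Added example, not Cisco code; hosts, ports and times are constructed."""
from typing import Dict, NamedTuple


class Packet(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Idle timeouts (seconds) from the generated 'ip inspect name autosec_inspect'
# lines and 'ip inspect dns-timeout 7', keyed by (protocol, destination port).
NAMED_TIMEOUTS = {("tcp", 80): 3600, ("tcp", 21): 3600, ("tcp", 25): 3600,
                  ("tcp", 514): 3600, ("udp", 69): 30, ("udp", 53): 7}
GENERIC_TIMEOUTS = {"tcp": 3600, "udp": 15}   # the generic tcp/udp inspect entries


def static_acl_permits(pkt: Packet) -> bool:
    """autosec_firewall_acl: permit udp any any eq bootpc; deny ip any any."""
    return pkt.proto == "udp" and pkt.dport == 68


class CbacFirewall:
    """Session table keyed by the outbound 5-tuple; the value is the expiry time."""

    def __init__(self) -> None:
        self.sessions: Dict[Packet, float] = {}

    def _timeout(self, pkt: Packet) -> int:
        return NAMED_TIMEOUTS.get((pkt.proto, pkt.dport), GENERIC_TIMEOUTS[pkt.proto])

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Traffic leaving Serial0/0 is not ACL-filtered; inspection records the session."""
        self.sessions[pkt] = now + self._timeout(pkt)
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Traffic entering Serial0/0 passes only via the static ACL or as return
        traffic of a live inspected session, which also refreshes the idle timer."""
        if static_acl_permits(pkt):
            return True
        origin = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.sessions.get(origin)
        if expiry is None:
            return False
        if now > expiry:
            del self.sessions[origin]   # idle timer expired: the opening closes
            return False
        self.sessions[origin] = now + self._timeout(origin)
        return True
```

The point the example makes is the asymmetry the two lines on Serial0/0 create: an unsolicited inbound TCP connection attempt is dropped by the deny ip any any entry, a DHCP offer to the router passes through the one static permit, and a reply to an inspected outbound DNS query is accepted only while the seven-second DNS idle timer is still running.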
The Cisco SDM Security Audit Feature
Cisco SDM provides an intuitive router security audit feature with one-step security audit capability that validates router configurations against a list of common security vulnerabilities and Cisco-recommended settings and provides a summary of recommended best practices.
The audit report highlights the potential security problems identified in the router configuration and can generate corresponding configurations to correct the shortfalls. The SDM Security Audit feature operates in one of two modes—the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes. This section focuses exclusively on the Security Audit wizard; the One-Step Lockdown mode is described in the next section.
To begin the Cisco SDM Security Audit feature, select Security Audit in the left frame of the configuration page, as illustrated by the arrow in the following screenshot:
Figure 2.3. Select Security Audit
On the following screen, click on the Perform security audit button, as illustrated by the arrow in the following screenshot:
Figure 2.4. Perform Security Audit
This action launches the Security audit wizard. The following page provides an overview of the actions that will be performed via the security audit. Click on Next to proceed:
Figure 2.5. Security Audit Wizard
The previous action brings you to the Security audit interface configuration page. Depending on the interfaces on your router, you need to select an outside interface (i.e. one that is connected to an untrusted network, such as the Internet) and an inside interface (i.e. one that is connected to a trusted network, such as the corporate LAN).
The router used in this example has two interfaces: Serial0/0 (which is connected to the Internet) and FastEthernet0/0 (which is connected to the trusted LAN); therefore, Serial0/0 is marked as untrusted (outside), while FastEthernet0/0 is marked as trusted (inside). Once your selection has been made, click on Next:
Figure 2.6. Designate Inside and Outside Interfaces
Once you click on Next, the Security Audit is performed, and you will be brought to the Security audit screen. A screen showing the progress of this action appears, listing all of the configuration options being tested for and whether the current router configuration passes those tests.
You can use the scroll bar on the right to scroll down and look at the status of the entire report. If you want to save this report to a file for later viewing and consideration, simply click the Save Report button illustrated in the following screenshot:
Figure 2.7. Security Audit is Performed
However, if you want to implement the recommendations of the Security Audit, simply click on the Close button. This will bring you to the following screen:
Figure 2.8. Options to Fix Issues
As illustrated in the screenshot above, an administrator can select the Fix All button to fix all issues identified in the Security Audit or individually select the features he or she would like fixed or implemented by simply checking the Fix it checkboxes on the right-hand side.
In addition to fixing the issues identified in the Security Audit, SDM is also capable of undoing changes previously applied from the Security Audit. If the Select an option: drop-down menu is clicked, administrators have the option to undo previously implemented security changes:
Figure 2.9. Changes Can Be Undone
As is the case with the Fix the Security problems options, administrators can choose to undo all configurations by clicking on the Undo All button or they can individually select which security configurations to undo by checking the Undo check boxes on the right-hand side.
Depending on the option selected and the boxes checked for that option, the next step is to click on the Next button. In our example, only a few select services have been selected to be fixed, as illustrated in the following screenshot:
Figure 2.10. Click ‘Next’ to Confirm Changes
After clicking Next, SDM prints a summary of the changes the administrator specified:
Figure 2.11. Click ‘Finish’ to Progress
The next step is to click on the Finish button. Once clicked, the SDM prepares the commands that it will deliver to the router and implements them. The final screen provides a summary of the number of commands delivered to the router. To complete the implementation, click on the OK button, as illustrated in the following screenshot:
Figure 2.12. Commands Delivered to Router
An often forgotten step is saving the configuration to NVRAM. It is important that you do not forget this step; otherwise, all applied configuration will be lost if the router is reloaded. To save the running configuration to NVRAM using SDM, simply click on the Save button illustrated by the arrow in the following screenshot, and then click on the Yes button to copy the running-config to the startup-config:
Figure 2.13. Copy Run Start
The Cisco SDM One-Step Lockdown Feature
In addition to the Security Audit feature, Cisco SDM can also perform a one-step lockdown function to configure the router for recommended best practices security configuration. The One-Step Lockdown feature performs numerous tasks, which are basically the same tasks performed by the Cisco IOS AutoSecure feature via the auto secure full command.
To enable the One-Step Lockdown feature, click on the One-step lockdown button on the Security Audit page, right below the Perform security audit section, as illustrated by the arrow in the following screenshot:
Figure 2.14. One Step Lockdown
Cisco SDM will then bring up a warning message. To proceed, simply click on Yes:
Figure 2.15. Warning Message Displayed
Once you have clicked on Yes, SDM prepares the commands that it will deliver to the router and the following screen appears, presenting a summary of the recommended actions. To allow SDM to proceed, and implement these settings on the router, click on the Deliver button:
Figure 2.16. Commands Delivered to Router
Once the configuration has been delivered to the router, i.e. the router has been configured by SDM, do not forget to save the configuration to NVRAM; otherwise, all changes will be lost in the event that the router is rebooted. The router is locked down and the SDM one-step lockdown process is complete. As you can see, it is a very straightforward and easy process.
Chapter Summary
The following section is a summary of the major points you should be aware of in this chapter:
Securing administrative access to IOS routers
- The Cisco IOS CLI is divided into different command modes, all of which are unique.
- The standard order in which a user would access the modes would be:
- User EXEC mode
- Privileged EXEC mode (enabled mode)
- Global configuration mode
- Specific configuration modes
- Configuration submodes
- Configuration sub-submodes
- The enable [privilege level] command is used to move to privileged EXEC mode.
- Privilege levels range from 1 to 15, with 1 being the lowest and 15 being the highest.
- Using the enable password command is not recommended due to the weak hash algorithm.
- The enable password command stores the password in plain text format.
- The service password-encryption command hashes the plain enable and line passwords.
- The enable secret command provides an MD5 hash and should be used to set passwords.
- All command privilege levels can be adjusted by using the privilege command.
- The security passwords min-length command specifies the minimum password lengths.
Usernames, user passwords and privilege levels
- Cisco IOS devices can be configured so that local and remote sessions to the router are granted access based on configured username and password pairs.
- There are two types of passwords that can be associated with usernames:
- Type 0, a clear text password visible to any user who has access to privileged mode.
- Type 7, a password encrypted by the service password-encryption command.
- In Cisco IOS Releases 12.0(18)S, 12.2(8)T, and later, the secret keyword for the username command allows you to configure MD5 encryption for user passwords.
- In order to allow terminal lines to authenticate users based on configured usernames, the login local configuration command is required under the terminal lines.
- The username [name] secret [password] autocommand [command] command can also be used to further restrict users by immediately executing a specified command for a particular user and then logging the user off automatically.
Cisco IOS Login Block
- The Cisco IOS Login Block feature (a part of the Cisco IOS Login Enhancements feature set), allows administrators to enhance the security of a router by configuring options to automatically block login attempts when a possible DoS or password attack is detected.
- The login block and login delay options introduced by this feature can be configured for Telnet, SSH or HTTP connections.
- This feature provides enhanced security over the security authentication failure rate <threshold-rate> log functionality.
Cisco IOS Role-based Command Line Interface
- The Cisco IOS role-based CLI access feature allows administrators to define views, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.
- Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information, i.e. a view can define what commands are accepted and what configuration information is visible.
- In order to configure the role-based CLI access feature, two prerequisites must be met:
- First, AAA must be enabled on the router via the aaa new-model command.
- Second, the system must be in root view. This is done via the enable view command.
- All views MUST have a password (secret) configured, otherwise they will not be enabled.
- In addition to basic (normal) views, it is also possible to configure a superview.
- A superview consists of one or more already configured CLI views
- Superviews have the following characteristics:
- A CLI view can be shared among multiple superviews.
- Commands cannot be configured for a superview.
- Superview users can access all commands for any CLI views that are part of the superview.
- Each superview has a password that is used to switch between superviews.
- If a superview is deleted, all CLI views associated with that superview will not be deleted.
Securing Cisco IOS router files and images
- The Cisco IOS resilient configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
- The resilient configuration feature has the following characteristics:
- The copy of the running configuration that was in the router when the feature was first enabled is used as the configuration file in the primary bootset.
- The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
- The feature automatically detects Cisco IOS image or configuration version mismatch.
- Only local storage (i.e. on the router itself) is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
- The feature can be disabled only through a console session, which means that the administrator must have physical access to the router to do so; this enhances security.
- In addition to the Cisco IOS resilient configuration feature, administrators can also leverage IOS image verification.
- IOS image verification allows administrators to automatically verify the integrity of Cisco IOS images, thus ensuring that the image is protected from corruption.
- SCP provides a secure and authenticated method for copying configuration or image files.
- SCP relies on Secure Shell (SSH) and Authentication, Authorization and Accounting (AAA).
Cisco IOS AutoSecure
- AutoSecure provides the following mechanisms to enhance security access to the router:
- Simplified Router Security Configuration
- Enhanced Password Security
- Roll-Back and System Logging Message Support
- Cisco IOS AutoSecure secures the Management and Forwarding planes by disabling certain global and interface services that can be potentially exploited for security attacks and, at the same time, enabling global services that help mitigate the threat of attacks.
The Cisco SDM Security Audit Feature
- SDM provides an intuitive router security audit feature with one-step security audit capability that validates router configurations against a list of common security vulnerabilities and Cisco recommended settings, and provides a summary of recommended best practices.
- The SDM Security Audit feature operates in one of two modes—the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes.
- The audit report highlights the potential security problems identified in the router configuration and can generate corresponding configurations to correct the shortfalls.
- The Security Audit Feature is launched from the Security page as illustrated below:
The Cisco SDM One-Step Lockdown Feature
- Cisco SDM can also perform a one-step lockdown function to configure the router for recommended best practices security configuration.
- The One-Step Lockdown feature performs numerous tasks, which are basically the same tasks performed by the Cisco IOS AutoSecure feature via the auto secure full command.
- One-step Lockdown is launched from the Security page as illustrated below:
Commands Used in this Chapter
The following section is a summary of the commands used in this chapter:
Command | Description |
enable [privilege level] | Used to navigate to privileged EXEC mode |
enable password level [level] [password] | Used to set the enable password (not safe) |
enable secret level [level] [password] | Used to set the enable secret (recommended) |
service password-encryption | Encrypts the enable and line passwords |
privilege [mode] [all|level] [level] [command] | Used to specify default privilege levels for commands (e.g. EXEC or Config commands) |
password | Used to specify terminal line passwords |
exec-timeout | Sets the interval that the EXEC command interpreter waits until user input is detected on terminal lines (e.g. VTY and CON) |
lockable | Allows terminal lines to be locked/unlocked |
security passwords min-length <length> | Sets the minimum password length for user, enable, and terminal line passwords |
security authentication failure rate <threshold-rate> log | Used to configure the number of allowable unsuccessful login attempts |
logging on | Enables logging |
logging host <address> | Enables logging to a remote Syslog server |
login block-for [seconds] attempts [tries] within [seconds] | Used to configure the router for login parameters and specifies the amount of time the router should remain in the quiet period if the administrator specified number of failed attempts is exceeded within the specific period of time |
login quiet-mode access-class [ACL] | Specifies an ACL that is to be applied to the router when it switches to quiet mode to allow access to the subnets specified in the ACL |
login delay [seconds] | Used to configure a delay between successive login attempts |
login on-failure log every [number] | Used to generate Syslog messages for failed login attempts |
login on-success log every [number] | Used to generate Syslog messages for successful login attempts |
logging buffered [severity] | Enables logging to the local router buffer |
logging trap [severity] | Specifies the severity of logs to send to a remote Syslog server |
show login [failures] | Used to view Login Block information |
show logging | Used to view logging information |
aaa new-model | Enables AAA on the router |
enable view [name] | Used to access the root (or any other) view |
show privilege | Used to view the current user privilege level |
parser view [name] | Used to configure a view |
commands [mode] (include | include-exclusive | exclude) [all] [interface (name) | command] | Used to specify the commands that are included, or excluded from the view being configured |
view | Used to add CLI views to a superview |
secure boot-image | Used to enable Cisco IOS image resilience |
secure boot-config | Used to store a secure copy of the primary bootset in persistent storage. |
dir | Used to view directories (e.g. in Flash) |
show secure bootset | Used to verify archive existence |
file verify auto | Enables IOS image validation |
copy system:running-config nvram:startup-config | Saves the running-config (RAM) to the startup-config (NVRAM) |
reload [options] | Reloads the device (i.e. router) |
copy [options] | Used to copy files to and from the router |
ip scp server enable | Enables SCP server functionality |
ip domain-name [name] | Configures a Domain for the router |
crypto key generate rsa | Generates RSA key pair |
aaa authentication [options] | Configures AAA Authentication |
aaa authorization [options] | Configures AAA Authorization |
tftp-server [options] | Enables TFTP server functionality |
copy scp | Used to perform SCP copying |
no service finger | Disables Finger |
no service pad | Disables PAD |
no service tcp-small-servers | Disables TCP small servers |
no service udp-small-servers | Disables UDP small servers |
no ip bootp server | Disables BOOTP server |
no ip http server | Disables HTTP server |
no ip identd | Disables the Identification service |
no cdp run | Disables CDP |
no ntp | Disables NTP |
no ip source-route | Disables source-routing |
no ip redirects | Disables ICMP redirects |
no ip unreachables | Disables ICMP unreachables |
no ip mask-reply | Disables ICMP mask reply messages |
no ip proxy-arp | Disables Proxy-ARP |
no ip directed-broadcast | Disables directed Broadcast forwarding |
no mop enabled | Disables MOP |
service tcp-keepalives-in | Enables keepalives for inbound TCP sessions |
service tcp-keepalives-out | Enables keepalives for outbound TCP sessions |
transport input [telnet|ssh] | Enables Telnet or SSH for terminal lines |
ip ssh timeout [seconds] | Specifies the idle timeout for SSH sessions |
ip ssh authentication-retries [number] | Specifies the number of times SSH users are allowed to attempt to authenticate successfully |
service sequence-numbers | Enables sequence numbers for logs and debugs |
service timestamps [options] | Enables timestamps for logs and debugs |
ip cef | Enables CEF |
ip tcp intercept [options] | Enables TCP intercept and sets desired options |
ip verify unicast reverse-path [options] | Enables uRPF |
ip inspect [options] | Enables CBAC |
auto secure [options] | Enables AutoSecure functionality |